Hackers Leak 500GB Trove of Data Stolen During LAUSD Ransomware Attack

Hackers have released a cache of data stolen during a cyberattack against the Los Angeles Unified School District (LAUSD) in what appears to be the biggest education breach in recent years. From a report: Vice Society, a Russian-speaking group that last month claimed responsibility for the ransomware attack that disrupted the LAUSD's access to email, computer systems and applications, published the data stolen from the school district over the weekend. The group had previously set an October 4 deadline to pay an unspecified ransom demand.

The stolen data was posted to Vice Society's dark web leak site and appears to contain personal identifying information, including passport details, Social Security numbers and tax forms. While TechCrunch has not yet reviewed the full trove, the published data also contains confidential information including contract and legal documents, financial reports containing bank account details, health information including COVID-19 test data, previous conviction reports and psychological assessments of students. Vice Society, a group known for targeting schools and the education sector, included a message with the published data that said the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the government agency assisting the school in responding to the breach, "wasted our time."

without hacking insurance

[OrangeTide]

This will keep happening without some sort of liability protection for the damages that hackers can do to an organization. Once you start paying premiums and deductibles for insurance the insurance companies will respond by requiring some proof of security hygiene. Right now there is no real quarter-to-quarter financial incentive for anyone to take security seriously. We behave like this is all just an unavoidable act of God and anyone that trusted you with a bank account or credit card number is just SOL.

Everyone should sue LAUSD for letting someone steal the data. At some point someone should be held responsible. Finding the actual hackers is extremely unlikely.

Re:without hacking insurance

[memory_register]

It's the government - good luck suing them, or getting them to change.

Especially in California, especially especially in Los Angeles. The moment you call for reform the mayor and governor will call you a bigot.

Re:

[OrangeTide]

It's California. You can sue anyone.

We keep suing police departments and winning. But the police departments keep asking for more money instead of addressing their conduct.

Re:

[OrangeTide]

Settling is usually the best option for both sides. And when you don't have the expenses of a trial, the settlement stretches much further. I consider taking an action and having a million dollars to be a win, when not taking action would have netted you nothing. Trust me, getting the government to pay a settlement is very hard. They try everything else first before they cut a check.

Re:

[ArchieBunker]

In typical American fashion, the only thing forcing the cops to stop behaving badly is jacked up insurance premiums. https://archive.ph/nouOg [archive.ph]

Re:

[MIPSPro]

Maybe. As long as the police enjoy "qualified" (read "UNqualified") immunity, then they will probably behave badly. It's a lot easier to beat people up or shoot them when they won't do what you want rather than try to reason with them or respect their rights. I'd be surprised if there was single cop who didn't feel like the government had their back if they hurt or kill someone in the execution of their job duties (most of the time off-duty too, unless they hurt another cop). Then, whenever their support i

Re:without hacking insurance

[sabri]

We keep suing police departments and winning.

That's because those lawsuits are based on federal civil rights violations.

A lawsuit agains LAUSD will have two big problems:

1. Prove damages and their causation (actual and proximate)
2. Get around the "We're the government and not liable for torts" statutes.

But the police departments keep asking for more money instead of addressing their conduct.

Look at European police officers. If you look at my comment history, you'll see that I fled the EUSSR a few years ago.

However, one thing that most EU member states do get right is their police violence. Why would that be? In Europe, police departments:

- Properly screen applicants, including extensive phsychological tests;
- Properly train prospect officers;
- Properly supervise prospect officers prior to going solo;
- Properly pay police officers, so they don't get the assholes that can't get a job anywhere else;
- Properly provide continuous training to existing police officers;

And this costs money.

Spend more money on your police force's training and compensation, and you'll get a better police force.

Re:

[DarkOx]

In case you nobody has noticed the entire public education sector is DESIGNED at all levels to resist any accountability for anything. Not educational outcomes, not even the health and safety of students, and certainly not other forms of negligence.

Law enforce is the bush leagues when it comes to CYA. "Wont somebody think of the children" has been a thing for as long as we've had public schools, nobody really cared much about how the accused were treated until maybe the late 60s.

Someone may sue, the suit m

Re:

[sfcat]

he persons directly negligent were probably contractors,

We hope. I know of another case in CA where the school system had students do the IT work and basically gave them a degree (and no education). In case you wanted to know just how bad this can get. The educational system has never been known for good administration.

Re:without hacking insurance

[OrangeTide]

Spend more money on your police force's training and compensation, and you'll get a better police force.

In the US we gave the police departments discounts on surplus military equipment. With exactly the results you'd expect when transforming a civil organization into a paramilitary one.

I've grown weary of the whole "better training" trope after every incident. Some of our cities are spending up to 20% of their revenue on police pensions. And we require many hours of training from police officers every year. At some point you come to realize we're just throwing good money after bad. Setting aside the pension programs, the day to day operations in most cities is around 9% of the budget on average. This works out to around $180K/year per police officer. Some of that is salary and equipment, and some of that is training. Most jurisdictions have some level of budget oversight that the public can see easily, not that it seems to motivate people to look.

It's like fight fire with fire. So you can only fight crime with more crime. Everyone knows that. At least everyone who is making decisions here seems to behave that way.

P.S. The often parroted phrase of "just one bad apple" shows just how out of touch the American public, political leaders, and media are to the problems. Because one bad apple spoils the whole bunch.

Re:

[sfcat]

The problem with police (and the public schools) is that they are a public sector unions. The government makes nuclear weapons (sort of, they did the research) and does all sorts of impressive things. You think they can't run a school or a local police force? When you unionize government workers, everything falls apart. Private unions are an entirely different animal.

Re:

[unimind]

Everyone should sue LAUSD for letting someone steal the data.

Yes, indeed. And in the process maybe they should be forced to publish all security and data storage protocols in use at the time, maybe include identifying information of any vendors whose lack of competence may have contributed to the breach. I'm sick of hearing about publicly funded institutions getting compromised and then finding out some part of their infrastructure was outsourced to a private company who couldn't bother to keep their server software up to date and is never held accountable for their

Re:

[Darinbob]

That would be useful. The fault isnt with the schools for trusting their vendors, because there are a lot of shady vendors out there ready and willing to take advantage of organizations. How do schools put in the necessary due diligence without outsourcing even that to outside vendors?

Re:

[vivian]

The problem with using the threat of being sued as a deterrent, is that since it is practically impossible to make anything completely bug free and hack proof, the legal risk arising from storing data would mean that all but the best funded institutions would need to go back to storing data on paper or something instead of keeping it electronically - expecially when courts can assign all kinds of crazy high punitive amounts that could completely bankrupt a company.
Stronger action against hackers, a

Re:

[Darinbob]

That should be low priority. High priority is to punish the thieves. You cannot excuse that behavior. If you leave your door unlocked it does not mean everyone is allowed to walk away with your stuff. So we need to ask Putin to please put his cronies in jail for this act!

Re:without hacking insurance

[OrangeTide]

We're a nation of multiple people. We can do more than one thing at once. We don't have to walk through priorities sequentially. We have so many resources we don't even have to debate the issues in order, nor do we need to debate their "priority".

I lived in a big city for half my life. When a bike gets stolen we don't walk for the next 10 years waiting for the thieves to be caught and the bike returned. We buy a new bicycle and move on with our lives. Maybe vote in ways that let cops be rough with the bike thieves.

P.S. I bought too expensive of a bike lock. it was heavy and someone managed to open it anyway. They took the lock with the bike. After a few phone calls I found out that the $25,000 warranty only worked if I sent back a defective lock.

Re: without hacking insurance

[flyingfsck]

Is any of the data actually useful to crooks - apart from the embarrassment factor?

Re:

[Petersko]

If they can't afford the cost of protecting themselves as is, they certainly can't afford that same cost, plus insurance.

Re:

[Canberra1]

The insurance company should NOT pay anything, until contributory negligence is determined. All they got to do is see who signed off on IT security, and keep on digging. The deterrent is to publish (embarrassment factor) what went wrong. Presently they just howl - we outsourced it to some external people, whinge - all their fault. After (Optus Australia) there is a stubborn streak in not admitting the W's When, Who, How, What(specifics) and Why. While the publishing of this is particularly nasty, USA actua

Not the least bit surprised

[Indy1]

20+ years ago (2000), my senior project for my undergraduate degree was rebuilding the entire network and server infrastructure for a high school that is a part of LAUSD.

It was a complete disaster before my team rebuilt everything (2 Windows NT DHCP servers that were conflicting with each other, a file server that was being run on Windows 98, etc ).

I have no doubt LAUSD is just as incompetent now IT wise as they were back then.

Re:

[GoTeam]

20+ years ago (2000) ..., a file server that was being run on Windows 98, etc ).

heh, for a second I thought to myself, "why is this guy bitching about an operating system that was still relatively new?". Then I realized the service being utilized on that desktop OS was a file server. Please tell me it was running on an e-Machine computer. That would be icing on the crap cake!

Phishing and impersonation

[Huitzil]

The attack vectors through social engineering remain absurdly open. One highly overlooked vulnerability is that system credentials are distributed to relatively early career stage sys admins to run day to day operations. I am not always sure that the powers that be understand that their staffing strategies - which are sometimes heavy on outsourcing and contractor use - are most always the culprit in modern day vulnerabilities.

It's super shitty to leak student psych data

[Somervillain]

It's odd that I don't see a comment yet about people upset the hackers are making sensitive data about minors. Look Hackers are criminal, but I always assumed there was a bit of professionalism to them. They're after money, not harming students. It would have been just as embarrassing to leak payroll data or the non-psychological data.

It's just depressingly shitty these Russians wanted to harm innocent students when there were plenty of other targets they could have harmed just as profitably. It add

Re: It's super shitty to leak student psych data

[flyingfsck]

Well, Russians are not exactly known for avoiding harm to children and have destroyed many schools in Ukraine for example.

Passport Details?

[bjwest]

Why does the school district have passport details?

Re:

[ladydi89]

Some people use their passport as ID, This is especially true of minors or anyone who doesn't have a driver's license.

That's a pretty terrifying list of artifacts

[Petersko]

Clearly they didn't get what they wanted. However, they essentially monetized what they had by releasing it - now school districts have a look at what could actually be released. They gave up this payoff to make others more likely to be paid.

Shitty people... good business...

Put a $10mil bounty on hackers' heads

[Tablizer]

Han would shoot first.

What?

[groobly]

What? All those diversity hires didn't stop a ransomware attack? Need more diversity hires.